The Trusted Insider

The U.S. military’s response to all the problems it has been having with sensitive documents appearing on WikiLeaks is to prohibit the use of removable media such as USB drives. They are even threatening courts-martial. Here is an article on CNN that gets into more detail on this:

Will this be an effective way to stop information loss? It will certainly make it a little harder to get large amounts of data out of their secure networks. But, in order to be useful, information does need to move around and be accessed on multiple platforms by multiple people. As the information moves around, there are opportunities for it to move out of your organization's control. Is there an effective technical control that could be put in place to mitigate this risk?

The problem here is not technical. No technical control failed; rather, a trusted user, with appropriate credentials and the access required to perform their job, has decided to violate their organization’s (the U.S. military’s) policies and trust. The people who are uploading this information are intentionally misusing the access that they have been granted. This is probably the worst risk that Information Security professionals everywhere have to deal with: the Trusted Insider. You know them: the high performers with positive attitudes who have been around a long time, are working on important initiatives and who would never do anything wrong.

We can monitor logs, block websites, restrict network protocols, ban USB drives, disable DVD burners, encrypt data at rest, layer on more and more technical controls … Will this address the issue and mitigate the risk?
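Of the controls listed above, log monitoring is the one that still applies once the insider already holds legitimate access: it cannot stop an authorised read, but it can show when a user's behaviour departs from that user's own history. The script below is an added illustration, not code from the original post or from Westfield Insurance; the audit-log format, the user names and every log line in it are constructed for this example. It computes each user's median daily read volume and flags any day that exceeds both a multiple of that baseline and an absolute floor, so a user whose normal day is a few hundred kilobytes is flagged on the day they pull down gigabytes of archives.

```python
"""Flag bulk data access by an authorised user that is far outside that
user's own normal pattern. Added example for the 'monitor logs' control;
the log format and all records below are constructed for this illustration."""
from collections import defaultdict
from statistics import median

# Constructed audit records, one per line: timestamp user action path bytes
SAMPLE_LOG = """\
2010-12-01T09:12:03Z alice READ /share/reports/q3.pdf 204800
2010-12-01T11:40:19Z alice READ /share/reports/q3-notes.docx 81920
2010-12-01T10:05:44Z bob READ /share/hr/handbook.pdf 512000
2010-12-02T08:55:01Z alice READ /share/reports/q4-draft.pdf 307200
2010-12-02T14:20:37Z bob READ /share/hr/onboarding.pptx 614400
2010-12-03T09:01:12Z alice READ /share/reports/summary.xlsx 122880
2010-12-03T09:30:00Z bob READ /share/hr/policy.pdf 409600
2010-12-04T22:14:09Z alice READ /share/archive/2009-all.zip 734003200
2010-12-04T22:16:41Z alice READ /share/archive/2010-all.zip 891289600
2010-12-04T10:00:00Z bob READ /share/hr/handbook.pdf 512000
"""


def parse_log(text):
    """Turn the constructed whitespace-separated log into dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size = line.split()
        records.append({"day": ts[:10], "user": user, "action": action,
                        "path": path, "bytes": int(size)})
    return records


def daily_volume(records):
    """Total bytes read per (user, day); only READ events count here."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "READ":
            totals[(r["user"], r["day"])] += r["bytes"]
    return dict(totals)


def flag_anomalies(records, factor=10, floor_bytes=50 * 1024 * 1024):
    """Flag (user, day) pairs whose read volume is more than `factor` times
    that user's own median daily volume AND above an absolute floor, so a
    user with a tiny baseline does not fire on ordinary small fluctuations."""
    per_user = defaultdict(dict)
    for (user, day), size in daily_volume(records).items():
        per_user[user][day] = size
    flagged = []
    for user, days in per_user.items():
        baseline = median(days.values())
        for day, size in sorted(days.items()):
            if size >= floor_bytes and size > factor * baseline:
                flagged.append({"user": user, "day": day,
                                "bytes": size, "baseline": baseline})
    return flagged


if __name__ == "__main__":
    for hit in flag_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{hit['user']} on {hit['day']}: {hit['bytes']} bytes read "
              f"(median day {hit['baseline']:.0f} bytes)")
```

Run as written, the script reports alice's 2010-12-04 activity (about 1.6 GB against a median day of roughly 290 KB) and nothing for bob. The baseline is per user rather than per team or per site on purpose: the Trusted Insider's access is legitimate, so the only thing that distinguishes the bad day is that it looks nothing like that person's other days. The threshold values are arbitrary and would be tuned against real history; a review of the flagged events by a human is still the final step.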

Putting technical controls in place, like banning USB drives, makes it harder for the Trusted Insider to do bad things, but they are still there in your organization, accessing your most sensitive information. How do you mitigate the risk of information misuse by the Trusted Insider?

We'd like to hear your thoughts on this issue - please comment below.

Bill Murray leads the IT Risk Security and Compliance team at Westfield Insurance. Sharing Knowledge. Building Trust.